Security Management at Capital Power. Ross Johnson, CPP Senior Manager Security & Contingency Planning

Transcription

1 Security Management at Capital Power Ross Johnson, CPP Senior Manager Security & Contingency Planning 1

2 Capital Power Capital Power (CPX:TSX) is a growth-oriented North American power producer headquartered in Edmonton, Alberta. The company develops, acquires, operates and optimizes power generation from a variety of energy sources. Capital Power owns more than 3,600 megawatts of power generation capacity at 15 facilities* across North America. An additional 595 megawatts of owned generation capacity (including the Shepard Energy Centre) is under construction or in advanced development. *As of December Excludes the 5-MW Clover Bar Landfill Gas plant. 2

3 Capital Power Generation Portfolio* 4 * Excludes the 5-MW Clover Bar Landfill Gas plant 3

4 Security & Contingency Planning Senior Manager, Security & Contingency Planning Senior Advisor, Physical Security Forensic Investigations Specialist Senior Advisor, Contingency Planning (20%) Security Administrator Security Guard Force (11 people) 4

5 Security Management Program Elements 1. Security Management Program 2. Security Risk Management 3. Information Security Management 4. Personnel Security 5. Physical Security 6. Security Incident Management 7. Contingency Planning 8. Threat Response Planning 9. Evaluation & Review 10. Continuous Improvement 5

6 Security Management Program Vision Statement To assist the Corporation in maintaining a competitive advantage by providing successful, innovative, and costeffective security and contingency planning solutions to ensure the protection of our people, assets, and reputation. Mission Statement To protect the Corporation s people, assets and reputation through leadership, technology, and innovation while building an environment that enables the business through consultation, cooperation, honesty and integrity. 6

7 How We Will Achieve Our Vision All solutions produced by Capital Power Security & Contingency Planning will be tested against three questions: 1. Does it meet the security and cost requirements as agreed in advance with the stakeholders? 2. Does it meet the security requirement with the minimum expenditure of money and resources? 3. Does it meet the security requirement with the minimum use of manpower? A project is not complete until we can answer yes to all three questions. 7

8 Security Risk Management Threat Intelligence Public Safety Canada Natural Resources Canada DHS ES-ISAC Industry Security assessments Facility Risk Profile Monthly evaluation Corporate Hazard Event Risk Profile Monthly evaluation 8

9 Information Security Management Classification and labelling Handling Training Incident reporting and investigation Audit, compliance, and disaster recovery 9

10 Personnel Security Access control Employee terminations Fraud prevention program Governance Risk assessment Prevention Detection Investigation & corrective action Security awareness 10

11 Physical Security Minimum physical security guidelines Vehicle searches Signage standards Chain-link fencing standards CCTV cameras Copper theft prevention Guard force management 11

12 Access Control Facility Type Fence with Top Guard Fenceline Intrusion Detection CCTV/Lighting Electronic Card Access Interior Intrusion Detection Locked Fence Gates with CCTV Locked Exterior Access Doors Visitor Management Background Checks for all Unescorted Personnel Signage Critical Asset Manned Power Plant During Silent Hours Unmanned Power Plant Control Room PEECC Switchyard Non-Critical Asset Thermal Power Plant See Note 1. During Silent Hours Wind Facility Solar Facility Control Room PEECC Switchyard Office Building/Data Centre Construction Site Optional 12

13 Guards Regulatory Requirements Facility Type Fixed Post Mobile Patrols SafeWalk Program Security Shuttle NERC/ARS CIP- 001 NERC/ARS CIP- 002 to CIP-009 Critical Asset Manned Power Plant Unmanned Power Plant Control Room PEECC Switchyard Non-Critical Asset Control Room PEECC Thermal Power Plant Switchyard Wind Facility Solar Facility Office Building/Data Centre Guards may be used if deemed necessary because of local security conditions Capital Power Security will assist with assessment Construction Site 13

14 Security Incident Management Incident reporting Investigations Workplace violence incident management 14

15 Contingency Planning Business Continuity Management Emergency Response Program Crisis Management Planning 15

16 Threat Response Planning Threat and vulnerability assessment Security measures Observation plan Random security measures Response plan Communications Training and review 16

17 Our Next Challenge Our next challenge is the transition to an enterprise security model, integrating physical, cyber, and industrial control system security 17

18 Questions? Ross Johnson, CPP 1 (780)

19 David Godfrey Security & Facilities Manager

20 Texas Municipal Power Agency Texas Municipal Power Agency (TMPA) is a joint action agency created in 1975 by the Texas Legislature to provide reliable electric power in an economically competitive and efficient manner to its four Member Cities. TMPA owns 470 megawatts of power generation and 11 substations all within the ERCOT region. Combined TMPA owns over 18,800 acres of land including a reservoir which is open to the public.

21 Security & Facilities As in most small organizations the Security & Facilities Manager wears a multitude of hats Physical Security Manager Facilities Manager Parks & Recreation Manager Public Relations Manager Communications Manager Special Projects Manager

22 Security Management Elements 1. Physical Security Management Generation Transmission Park All other land holdings 2. Security Risk Management 3. Personnel Security 4. Incident Management 5. Threat Response 6. Security Training

23 Security Management Goals To provide a safe and secure workplace for our employees People come First. and To protect TMPA s assets and reputation by assessing all agency assets and providing appropriate security measures that are reliable, effective, and economical.

24 Security Risk Management Threat Intelligence Joint Terrorism Task Force (JTTF) Local Law Enforcement Texas Fusion Center DHS ERCOT ES-ISAC Our Employees Physical Threat Vulnerability Assessment (TVA) Annual and Spot Check Security Evaluations

25 Personnel Security Access Control CCTV Fraud prevention Governance Anonymous Hotline Prevention Investigation & corrective actions up and including termination Security awareness

26 Physical Security Security Policies and Procedures Access Control CCTV Chain-link Fence Standard Signage Fence Detection Systems Law Enforcement Patrol

27 Security Training Yearly Emergency Coordination Exercise (which always includes a security component) Periodic security reminders to employees (piggy backing, vigilance, reporting) State and Federal Law Enforcement Exercises Local Law Enforcement Exercises Local Fire Department Exercises

28 QUESTIONS?

29 April 16, 2014

30 Tri-State s mission is to provide reliable, cost-based electric energy to our member systems consistent with cooperative principles VP Western Division of G4S Secure Solutions regional conference 2

31 Tri-State Generation and Transmission Association is a wholesale power supplier owned by 44 electric cooperatives and public power districts Serving a population of approximately 1.5 million people VP Western Division of G4S Secure Solutions regional conference 3

32 Tri-State wholly or partially owns, or has power purchase agreements, for a number of generating facilities located throughout its four-state service territory

33 Transmission system Tri-State owns, operates and maintains a 5,213- mile high-voltage transmission network throughout four states 359 delivery points 250,000-square-mile service territory

34 Employees Tri-State employs nearly 1,600 people at offices, power plants and field locations throughout the region

35 Enterprise security mission We will be the enterprise-wide resource for Tri- State regarding the protection of people, information, and assets. We will partner with key personnel to plan, deploy, and maintain programs that promote a customer-oriented, results driven security culture to support compliance while promoting a safe and secure work environment.

36 Enterprise security responsibilities Security force management Investigations Compliance with Tri-State s NERC cyber security standards program Compliance with Tri-State s DHS chemical facility anti-terrorism standards program Electronic security systems management Federal agency and law enforcement liaison Electronic security systems installation Security vulnerability assessments

37 Security force management 37 armed G4S CPO officers in 5 locations Headquarters Lobby entry SOC Area vehicle patrol 3 generation facilities 1 coal mine 1 G4S program manager Recurring training & testing

38 Investigations Type of Investigation Department/Position Responsible Assaults & Crimes against persons: Employee/Employee Assaults & Crimes against persons: Outside Party/Contractor Check Fraud Copyright / Proprietary Information Disciplinary Investigations for Misconduct Due Diligence EEOC (Equal Employment Opportunity Commission) Employee Misconduct Environmental Incidents Internet/ Misuse Inventory Discrepancies/Unexplained Shrinkage: Inventory Inventory Discrepancies/Unexplained Shrinkage: IT Mechanical Failures Misuse or Abuse of Computer or IT Systems OSHA Complaint Outages or Switching Errors Personnel Security and Background Regulatory Compliance Sabotage: Cyber Sabotage: Employee Sabotage: Generation or Production Sabotage: Reliability Safety Related Accident Substance Abuse/Fitness for Duty Theft: Computer/Laptop Theft: Inventory Theft: Tri-State Property (by EXTERNAL party) Theft: Tri-State Property (by INTERNAL party) Travel & P-Card Misuse Workers Comp EMPLOYEE SERVICES ENTERPRISE SECURITY CASH MANAGEMENT LEGAL or OUTSIDE LEGAL HELP EMPLOYEE SERVICE BUSINESS UNIT LEADING ACQUISITION EMPLOYEE SERVICES EMPLOYEE SERVICES ENVIRONMENTAL IT OPERATIONS INVENTORY CONTROL MANAGER ENTERPRISE SECURITY PLANT MANAGERS IT OPERATIONS CORPORATE SAFETY RELIABILITY COMPLIANCE, TRANSMISSION SYSTEM OPERATIONS ENTERPRISE SECURITY and EMPLOYEE SERVICES CORP. SAFETY, EMPLOYEE SERVICES, ENVIRONMENTAL, LAND RIGHTS, FINANCIAL SERVICES, RELIABILITY COMPLIANCE IT OPERATIONS EMPLOYEE SERVICES ENTERPRISE SECURITY RELIABILITY COMPLIANCE CORPORATE SAFETY EMPLOYEE SERVICES ENTERPRISE SECURITY INVENTORY CONTROL MANAGER ENTERPRISE SECURITY EMPLOYEE SERVICES EMPLOYEE SERVICES 3rd PARTY HIRED BY TSGT

39 Compliance Compliance with Tri-State s NERC cyber security standards & DHS chemical facility anti-terrorism standards programs Evolving requirements Documentation Audits Initial & ongoing expense Enterprise-wide awareness

40 Electronic security systems management Access Control Johnson Controls P2000 system 350+ readers in 30+ facilities Surveillance ONSSI Ocularis VMS 300+ cameras in 20+ facilities Axis & VideoIQ 100% digital IP Transitioning legacy equipment to Axis 5MP IP Security operations center Yearly capital improvements 20 per year Security systems technician on staff

41 Federal agency and law enforcement liaison Participation locally in: InfraGard ASIS UASI Quarterly regional contact: FBI DHS State homeland security Local county sheriff Local police

42 Security vulnerability assessments Recurring written assessments 3 years for priority assets HQ, BCC & Hangar Larger power plants Regional service centers 5 years for others CT generation facilities Small service centers Brief results & recommendations to management

43 Challenges Government regulation NERC CIP CFATS Metal theft Safe and secure environment with budget constraints Security officer training Security culture and awareness within business units Preparing for electric utility security in 2020 and beyond

44 VP Western Division of G4S Secure Solutions regional conference 16